Privacy Policy
Your privacy matters to us. This policy explains how we collect, use, and protect your data.
Our Privacy Principles
Data Minimization
We only collect the data we need to provide our API services.
Transparency
We are open and honest about what data we collect and how we use it.
Your Control
You have control over your data and can view, change, or delete it at any time.
Information We Collect
Information You Provide to Us
- Account information: Name, email address, password during registration
- API token data: Token names, scopes, and rate limits that you configure
- API usage information: API calls, endpoints used, request/response data
- Communication: Messages you send to us or exchange through our platform
- Payment information: Credit card data and billing addresses for point purchases (securely processed by Polar)
Automatically Collected Information
- Usage data: How you interact with our platform, pages visited, API documentation accessed
- Device information: IP address, browser type, operating system, device identifiers
- Analytics: Performance metrics and error reports to improve our services
- Cookies: Small files to personalize and improve your experience
How We Use Your Information
Service Provision
- Process your API requests and return results
- Manage your API tokens and authentication
- Track points balance and usage across APIs
- Provide API documentation and interactive examples
Platform Improvement
- Enhance our API algorithms and performance
- Develop new APIs and features based on user needs
- Identify and fix technical issues
- Provide personalized customer support and assistance
How We Use Your Data
Detailed Explanation of Data Usage
We believe in complete transparency about how we use your data. Below is a comprehensive breakdown of what data we collect and exactly how it is used across our platform.
Data Usage by Category
Account & Authentication Data
Your account information (name, email, password) is used exclusively for:
- User authentication: Verifying your identity when you log in
- Account management: Allowing you to access and manage your dashboard
- Communication: Sending important service updates and security notifications
- Password recovery: Enabling secure password reset functionality
Account data is retained as long as your account is active and deleted within 30 days after account closure.
API Usage & Request Data
When you make API calls, we collect and use the following data:
- Request metadata: API endpoint called, timestamp, request duration
- Points consumption: Number of points deducted for each API call
- Success/failure status: Whether the API call completed successfully
- Error codes: If an API call fails, the error code for troubleshooting
This data is used for:
- Billing accuracy: Ensuring you are charged the correct number of points
- Usage analytics: Providing you with insights in your dashboard
- Performance monitoring: Identifying and fixing slow or failing endpoints
- Fraud prevention: Detecting unusual or abusive API usage patterns
API usage logs are retained for 24 months for billing verification and analytics purposes.
API Request & Response Content
We do NOT permanently store the content of your API requests or responses (such as the text you send to our Structify API or images you process). Request/response content is:
- Processed in-memory: Your data is processed only to generate the API response
- Not logged: We do not save the actual content of requests or responses
- Immediately discarded: After the API response is returned, content is deleted
- Encrypted in transit: All data is encrypted end-to-end during transmission
Exception: Error debugging logs may contain small snippets of request data for up to 7 days to help diagnose technical issues. These logs are automatically purged after 7 days.
API Token Management Data
Your API tokens and their configuration (name, scopes, rate limits) are used to:
- Authenticate API requests: Verify that requests are authorized
- Enforce rate limits: Prevent excessive API usage
- Track usage by token: Allow you to monitor usage per token in your dashboard
- Revoke access: Enable you to immediately invalidate compromised tokens
Token data is retained until you delete the token or close your account.
Payment & Billing Data
Payment information (processed securely by Polar.sh) is used for:
- Point purchases: Processing your purchases of point packages
- Transaction records: Generating invoices and receipts
- Tax compliance: Meeting legal requirements for financial record-keeping
- Fraud prevention: Detecting and preventing fraudulent transactions
Important: AppHighway never stores your full credit card information. All payment processing is handled by Polar.sh (PCI DSS compliant).
Payment records are retained for 7 years to comply with tax and financial regulations.
Analytics & Performance Data
We collect anonymous usage data to improve our platform:
- Page views: Which pages are most visited (helps us improve navigation)
- Feature usage: Which APIs are most popular (guides our development priorities)
- Error rates: Which features have bugs (helps us prioritize fixes)
- Load times: How fast pages load (helps us optimize performance)
This data is aggregated and anonymized. We do not track individual user behavior for marketing purposes.
Anonymous analytics data is retained indefinitely for long-term trend analysis.
Third-Party Data Sharing
We share limited data with the following trusted third-party services:
- OpenAI: For AI-powered APIs (see the AI Processing section below)
- Polar.sh: For payment processing (only transaction data, not API usage)
- Vercel: For hosting (infrastructure provider, no access to user content)
- Neon: For database hosting (encrypted data storage)
- Sentry: For error monitoring (only error logs, no personal data)
All third-party services are contractually bound by data processing agreements and cannot use your data for their own purposes.
Data You Control
You have complete control over your data:
- View your data: Access all your account data, API usage history, and points transactions
- Export your data: Download your complete data in JSON format
- Delete your data: Permanently delete your account and all associated data
- Manage tokens: Create, view, and revoke API tokens at any time
- Update preferences: Change your email, password, and notification settings
Data Security
Industry-Leading Security Measures
We implement robust security measures to protect your API tokens and usage data:
- End-to-end encryption for all API communications
- AES-256 encryption for stored data
- Regular security audits and penetration testing
- SOC 2 Type II compliant infrastructure
- Secure token generation and management with rate limiting
- Secure backup and disaster recovery procedures
Your Rights
Access & Portability
You have the right to access all your data and export it in a structured, machine-readable format.
Correction & Updates
You can update your personal data at any time through your account settings or contact us to make corrections.
Deletion
You can delete your account and all associated data at any time. This action is irreversible.
Opt-Out
You can opt out of marketing communications at any time and restrict data processing for certain purposes.
Data Sharing
We Never Sell Your Data
AppHighway never sells, rents, or trades your personal data. Your privacy is not for sale.
We only share limited data with trusted third-party providers who help us deliver our services (such as hosting and payment processing via Polar).
Points System and Billing
How Points Are Tracked and Billed
AppHighway uses a transparent points-based billing system. Each API call consumes points based on computational cost (1-7 points per request).
Points and Usage Data:
- Points are deducted before processing your API request
- We track points usage for billing and analytics purposes
- You can view your complete points usage history in your dashboard
- Failed API requests do not receive point refunds (computational resources were still consumed)
- Point purchases are processed securely through Polar.sh
- All point costs are clearly documented for each API endpoint
AI Processing (OpenAI)
Use of OpenAI for AI-Powered APIs
We use OpenAI services to power our AI-based APIs such as sentiment analysis, feature generation, review summarization, and other AI endpoints.
Your Data and OpenAI:
- OpenAI has no right to use your data to train their AI models
- Your data is used exclusively to process your API requests via the OpenAI API
- OpenAI does not permanently store your data sent via the API
- We have an Enterprise agreement with OpenAI that includes additional data protection guarantees
- All data is transmitted to OpenAI in encrypted form
- We only send the minimum necessary data to fulfill your API request
Data Storage and Server Location
Your data is stored and processed on servers located in the United States. We use professional cloud hosting services (Vercel, Neon) that meet industry-leading security standards.
International Data Transfers
As our servers are located in the USA, data from EU users is transferred to the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR for all EU data transfers
- Regular assessment of data protection risks and implementation of additional safeguards
- Encryption of all data during transmission and storage
- Compliance with US data protection laws and best practices
GDPR Compliance
General Data Protection Regulation (GDPR) Compliance
AppHighway is fully compliant with the European Union's General Data Protection Regulation (GDPR). We are committed to protecting the privacy rights of all individuals in the European Economic Area (EEA) and worldwide.
Legal Basis for Data Processing
We process your personal data based on the following legal grounds under GDPR:
- Consent (Art. 6(1)(a) GDPR): For optional features and marketing communications, we obtain your explicit consent
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our API services and manage your account
- Legal Obligation (Art. 6(1)(c) GDPR): Compliance with tax laws, payment regulations, and other legal requirements
- Legitimate Interest (Art. 6(1)(f) GDPR): Platform security, fraud prevention, and service improvements
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right to Information (Art. 13-14 GDPR): You have the right to be informed about how your data is collected and used
- Right to Access (Art. 15 GDPR): You can request a copy of all personal data we hold about you
- Right to Rectification (Art. 16 GDPR): You can request corrections to inaccurate or incomplete data
- Right to Erasure (Art. 17 GDPR): You can request deletion of your data under certain circumstances
- Right to Restriction (Art. 18 GDPR): You can request that we limit the processing of your data
- Right to Data Portability (Art. 20 GDPR): You can receive your data in a machine-readable format
- Right to Object (Art. 21 GDPR): You can object to processing based on legitimate interests or for direct marketing
- Right Regarding Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to automated decisions with legal effects
Data Retention
We retain your personal data only as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained while your account is active
- API usage logs: Retained for 24 months for billing and analytics purposes
- Payment records: Retained for 7 years to comply with tax and financial regulations
- Deleted accounts: All personal data is permanently deleted within 30 days after account deletion
- Backup data: Permanently removed from backup systems within 90 days
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance. You can contact our DPO for all data protection matters:
- Name: Andre Prochiner
- Email: dpo@apphighway.com
We will respond to your request within 30 days, as required by GDPR.
Supervisory Authority
If you believe we are not complying with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. For Austria, this is:
- Austrian Data Protection Authority (Datenschutzbehörde)
- Website: www.dsb.gv.at
- Email: dsb@dsb.gv.at
Cross-Border Data Transfers
When we transfer your data outside the EEA (such as to our servers in the United States), we ensure GDPR-compliant safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party processors
- Transfer Impact Assessments to evaluate data protection risks
- Enhanced encryption and security measures for international transfers
Detailed Cookie List
Cookies Used
The following list contains all cookies used by AppHighway. All listed cookies are essential for the operation of the platform.
better_call_session
Stores your session information after login. Enables authentication and access to your account. Automatically deleted when you log out or the session expires.
Duration: Session (deleted when logging out or after 30 days)
Type: Essential - HTTP-Only, Secure, SameSite
better_call_session_token
Secure token for authentication. Used to verify your identity for API requests and prevent unauthorized access.
Duration: Session (deleted when logging out or after 30 days)
Type: Essential - HTTP-Only, Secure, SameSite
theme
Stores your preference for light or dark mode. Allows the website to maintain your chosen theme on your next visit.
Duration: 1 year
Type: Essential - Functionality
NEXT_LOCALE
Stores your preferred language (German or English). Allows the website to automatically load in your chosen language.
Duration: 1 year
Type: Essential - Functionality
apphighway-cookie-consent
Stores your consent to the use of cookies. Prevents the cookie banner from being displayed on every visit after you have consented.
Duration: Unlimited (until deleted by user)
Type: Essential - Functionality
apphighway-cookie-consent-date
Stores the date when you consented to cookie usage. Used for compliance purposes.
Duration: Unlimited (until deleted by user)
Type: Essential - Functionality
No Tracking or Marketing Cookies
AppHighway does not use any third-party tracking, analytics, or marketing cookies. We respect your privacy and only use the minimally necessary cookies for platform operation.
Cookie Management
All cookies we use are essential for the operation of the website and cannot be disabled without affecting the functionality of the platform. You can delete cookies in your browser settings at any time, but this will result in logout and loss of your preferences.
Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16 without explicit parental consent.
Policy Changes
We may update this privacy policy occasionally. We will notify you of significant changes via email or through our platform. Continued use after changes constitutes your consent to the updated terms.
Contact Us
For questions about this privacy policy or your data rights, please contact us:
Email: support@apphighway.com
Address: Eichenweg 34b, 9581 Ledenitzen, Austria
Data Protection Officer: Andre Prochiner